The Green Sheet Online Edition
October 22, 2007 • Issue 07:10:02
Is the PCI DSS pie in the sky? The NRF's Hogan wants to know
In a letter to the Payment Card Industry (PCI) Security Standards Council delivered Oct. 4, 2007, the National Retail Federation cited continued data security breaches despite the implementation of the PCI Data Security Standard (DSS) and the burden PCI compliance puts on merchants.
NRF Chief Information Officer David Hogan addressed the letter to Bob Russo, the PCI council's General Manager. He claimed that the PCI DSS has largely failed in its ultimate goal: to protect sensitive customer information from theft and fraudulent use. He argued that merchants should be required to store minimal customer data, if any.
Hogan wrote that it is "unlikely PCI will ever be able to keep pace with the continually evolving sophistication of the professional hacker, or anticipate every possible variation of future attacks. We believe the time has come to rethink the assumptions behind PCI."
According to Hogan, if the PCI DSS does not work, "the ultimate solution is to stop requiring merchants to store card data in the first place."
Hogan told The Green Sheet, "[Not storing the data] is a commonsense approach to reduce the risk of credit card fraud."
His idea was that merchants should only have to store the authorization code provided at the time of sale and a truncated receipt. The merchant would then still have a record of the transaction showing approval by the credit card company, and the sales receipt would be adequate as proof of purchase and in case of returns.
"Neither [the authorization code or the receipt] would contain the full account number and would therefore be of no value to a potential thief," Hogan said.
But Adil Moussa, an Analyst for the Aite Group LLC, took issue with Hogan's plan. "Very logical, but really not the way to go," Moussa said. "The authorization code is not long enough. It's only six digits long and there is the possibility of duplication [of the numbers]."
Moussa preferred another approach that would use a "unique transaction code to identify the transaction and keep that record for ulterior processing of chargebacks if they happen."
But Scott Krugman, Vice President of Industry Public Relations at the NRF, disagreed with Moussa. He believes the authorization code and the receipt solution offered by Hogan would have enough accurate information in case of a chargeback.
"It's very, very, very simple," Krugman said. "The merchant should have [the customer's credit card number] only long enough to complete the transaction."
Moussa understood the NRF's concerns. "Mr. Hogan is saying, let's keep it simple," he said. "Why don't you, the card companies and the PCI council, simplify it so we, the merchants, don't have to jump through so many hoops?"
"All parties are interested in the same thing: To protect customers' information," Krugman said.
When it comes to merchants storing customer data, however, Hogan said the PCI council and the card Associations are "talking from both sides of their mouth."
Requirement 3 of the PCI DSS guidelines states:
- 3.1 Keep cardholder data storage to a minimum. Develop a data retention and disposal policy. Limit storage amount and retention time to that which is required for business, legal, and/or regulatory purposes, as documented in the data retention policy.
- 3.2 Do not store sensitive authentication data subsequent to authorization (even if encrypted).
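The following is an added illustration, not code from the article, the NRF or the PCI council, of the retention model the two sides are arguing over: a merchant record that keeps only a truncated account number, the authorization code and a merchant-generated transaction reference, and drops the sensitive authentication data Requirement 3.2 forbids storing. It also carries through Moussa's point about six-digit authorization codes with the standard birthday-bound estimate of duplicate codes. Field names, the `RetainedRecord` structure and the sample authorization response are all constructed for this example.

```python
import math
import re
import secrets
from dataclasses import dataclass
from typing import Optional

# Constructed sample of what a merchant system sees at authorization time.
# Every value here is made up for this illustration; none is a real card.
AUTH_RESPONSE = {
    "pan": "4111111111111111",     # full primary account number (constructed)
    "expiry": "12/29",
    "cvv2": "123",                  # sensitive authentication data
    "track2": "4111111111111111=29121010000000000000",
    "auth_code": "123456",          # six-digit authorization code from the issuer
    "amount_cents": 4599,
    "timestamp": "2007-10-04T10:15:00Z",
}

# Fields that must never appear in post-authorization storage (PCI DSS 3.2).
FORBIDDEN_FIELDS = ("pan", "cvv2", "track2", "pin_block")

# A 13-19 digit run is the shape of a full PAN; used as a storage sanity check.
PAN_LIKE = re.compile(r"\d{13,19}")


@dataclass(frozen=True)
class RetainedRecord:
    """What the merchant keeps after authorization (hypothetical schema)."""
    txn_ref: str        # merchant-generated unique transaction reference
    auth_code: str      # issuer's authorization code, proof of approval
    pan_last4: str      # truncated account number, enough for receipts/returns
    amount_cents: int
    timestamp: str


def truncate_pan(pan: str) -> str:
    """Keep only the last four digits of the account number."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    if len(digits) < 4:
        raise ValueError("PAN too short to truncate")
    return digits[-4:]


def new_txn_ref() -> str:
    """128 random bits: duplicates are negligible, unlike a 6-digit auth code."""
    return secrets.token_hex(16)


def build_retained_record(auth_response: dict,
                          txn_ref: Optional[str] = None) -> RetainedRecord:
    """Derive the minimal record; full PAN, CVV2 and track data are not copied."""
    return RetainedRecord(
        txn_ref=txn_ref or new_txn_ref(),
        auth_code=auth_response["auth_code"],
        pan_last4=truncate_pan(auth_response["pan"]),
        amount_cents=int(auth_response["amount_cents"]),
        timestamp=auth_response["timestamp"],
    )


def contains_forbidden_data(record: RetainedRecord) -> bool:
    """Review-style check: no forbidden field and no PAN-shaped digit run stored.

    A production scan would also Luhn-validate candidate runs; this is the
    simpler structural check.
    """
    stored = vars(record)
    if any(key in stored for key in FORBIDDEN_FIELDS):
        return True
    return any(isinstance(v, str) and PAN_LIKE.search(v) for v in stored.values())


def auth_code_collision_probability(n_transactions: int,
                                    code_space: int = 10 ** 6) -> float:
    """Birthday-bound estimate of P(at least one duplicate) among n six-digit codes."""
    n = n_transactions
    return 1.0 - math.exp(-n * (n - 1) / (2.0 * code_space))


if __name__ == "__main__":
    rec = build_retained_record(AUTH_RESPONSE)
    print(rec)
    print("forbidden data retained:", contains_forbidden_data(rec))
    for n in (100, 1000, 5000):
        print(f"{n} transactions -> P(duplicate auth code) ~ "
              f"{auth_code_collision_probability(n):.3f}")
```

The collision figure is why a six-digit authorization code cannot serve as the lookup key on its own: with only a million possible values, a few thousand transactions already make a duplicate likely, whereas the random `txn_ref` gives each sale a key that is unique for practical purposes while still containing nothing a thief could use.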
But, Hogan wrote, "Credit card company rules require merchants to store the credit card data that criminals are so eager to steal."
Hogan wondered if the card companies created the PCI DSS "to make money" from fines levied on merchants who do not achieve PCI compliance.
If the card Associations would agree in principle with his idea, Hogan believes it will be "good for the consumer. ... But if they [the card Associations] don't want to significantly reduce data breaches and ultimately credit card fraud, then they're not that serious about helping the consumer."
At press time, The Green Sheet had been unable to reach Mr. Russo for comment.